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NATIONAL FOREIGN ASSESSMENT CENTER 

WASHINGTON, D. C. 20505 


16 October 1979 


MEMORANDUM FOR: Chairman 

NFIB Working Group on Camj^rtmentation 


FROM 

SUBJECT 

REFERENCE 


Chief, Requirements and Evaluation Staff/NFAC 

APEX Sec urity M anuals for Government/Industry- -CIA 
Comments 


Walsh Memo to Working Grou p re AP EX Security 
Manuals, 28 September 1979 I 


25: 




1. This memorandum contains the comments of the NFAC, the 
D/S§T, the D/0, and the D/A, respectively, on the draft APEX manuals 
for government and industry (annexes I and II to the APEX report) , 
dated May 1979. Several comments are rather general owing to a lacK 
of specificity in the text of the manuals. Presumably these general 
guideline portions of the manuals will be spelled out prior to _ 
further NFIB consideration of the manuals as called f or in the minutes 
of the 58th NFIB meeting, 25 September 1979. 


2. A number of the NFAC comments, which are with one exception 
limited to the government manual, relate to the potential additional 
resource burden of accounting for APEX documents and the role of the 
Senior Intelligence Officers (SIOs). The D/S$T defers to the approp- 
riate program manager s for comments on the industry manual. The u/ 
focuses on the l | category. The iVA's comments range widely ' 

the impac t on the reproduction of caoles to the impact on OC s ComSec 

efforts. 
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Directorate Positions. -- NFAC : 


3. The NFAC comments do not address the sanitization and 
decompartmentation guidelines, which are the most critical issue or 
it and other producers of finished intelligen ce. Also , there are 
concerns within NFAC about the abolishment of I ~ l^ ut t} l e ^ AC 
defers" to the pro gram man ager and the security specialists tor de- 
tailed comments. 


4. The industry manual makes no mention of Contracting 
Officers' Technical Representatives (COTRs) . Because they often 
are more involved than contract officers it would s eon that they 
too should be included in the text, with guidance provi ded on 
handling materials, among other special considerations. | [ 


5. There is a generalized concern in NFAC that the govern- 
ment manual wording appears headed to the control of SCI raw- data 
and processed- information documents, especially cables such as 
those issued by the National Security Agency, in the manner of 
those that are "green- sheet-covered" Top Secret. This would 
impose a very serious problem for the Center . One office recently 
undertook a small study of the implications of controlling SCI 
cables through its registry system. The study indicated a need 
for 3 . mirnmrn of five additional people to provide satisfactory 
control of the system including the reproduction, distribution, and 
file maintenance of this document flow. This resource issue needs 
careful a ttention as ways are sought to impose more strict document 

control. r~~~ i 


6. NFAC /OCR has reviewed the government security manual and 

finds that it causes immediate problems for two new systems, its 
Automated Document Storage and Retrieval (ADSTAR) system and SAFE. 
OCR will begin in November 1979 the conversion of the last three 
years (CY 1977-79) of its document holdings from present format 
to the ADSTAR blip-coded 16mm microfilm. The APEX manual suggests 
that there could be changes in the requirements for the handling 
of the SCI documents now on file. Therefore, OCR needs to know _ 
what these changes will be before it undertakes a costly conversion 
process that may have to be redone. .APEX poses other problems for 
ADSTAR. They are raised below, along with the specific comments of 
the other NFAC entities. I I 
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a Page 1, INTRODUCTION. This manual needs a better 
explanation of specifically what APEX is. It would be use- 
fill to say what special access systems are covered. For 
example, "APEX was established to control what has been re- 
cently blown as Sensitive Compartmented InfoTmation,and 
specifically covers...." In this paragraph, and throughout 
the manual, the effort to keep the classification of the 
manual at the lowest possible level had led to a lack of 
clarity. The second paragraph of the Introduction talks about 
classification of terns ; the manual itself is not properly 
classified- -it needs portion markings or a general state- 
ment. Paragraph three suggests that changes may ^come 
necessary in the handling of what are now termed SCI materials. 
Any -substantial change in the handling of these materials 
could have a major change on OCR's central document resposi ry 
and bibliographic index. (This is a general problem for all of 
NFAC but specifically for OCR.) It is particularly ™P£rtant 
that OCR understands how present SCI materials will be handl 
in the future as it begins the conversion of the three most 
recent years of document holdings for ADSTAR. 

b. Page 2, Organizational Structure. A clear definition 
for Senior Intelligence Officers (SIOs) is needed. In the 
unified and specified commands, there are SIOs at a wiety 
of levels. In contrast, CIA has only one SIO- -the (Deputy) 
Director of NFAC who advises the DCI on questions of 
compartmentation. This factor becomes extremely ^portant 
when an SIO, for example, can waive certain investigative 
requirements (VIII. c) if he wishes to authorize an individual 
access to the APEX system prior to the completion of a full 
investigation. The SIO also has a number of other important 
powers. Unless the SIOs* responsibilities are more strin- 
gently defined and the level at which they operate, the SIOs 
in a number of agencies and dep artments may well have far 
more authority than, necessary . 

c. Page 2, Paragraph 8. It would be useful to know 

whether APEX Cont rol Facil ities are bounded physically or 
organizationally. | • . t 

d. Page 2, Penultimate Paragraph. The difference 
between the ACO and ASO is not clear. Suggest rewording to 
say: "Because of the separate responsibilities of the ALU 
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and the ASO [see page 8], it is preferable that these 
positions not be held by the same individua l.... At what 
organizational level will they be located? 


e. Page 3, Second Paragraph. This paragraph indicates 
a variety of different compartments in APEX but only one, 

I is addressed in the manual. The sigificance and 
implications of the other compartments should he addressed. 
fSee relevant D/0 comments below.) The NFAC suggests that 
some examples be provided for u se of ca tegory terms, code- 
words, and special designators. 


f. Pace 4, Paragraph c. Should an annual approval 
review for accesses be required, NFAC would have to cope 
vp ih more than 8,000 clearances under today's systems. 
*jost recently, such an exercise required four man-months 
of one security officer’s time in . addit ion to the time 
expended hy the NFAC components . 


g Pa~e 4, Paragraph e. It would appear xiupos s ibl e 
for anyone in OCR Cor other processing units) to _ account for 
. a ii ap*EX documents under his/her control or cognizance ^..ould 
a' V SCI documents retroactively be converted to APEX. For 
e? cole, a number of supervisors up the line have respon- 
s^litv for the central library of 11 million documents. 

Cr' : -r offices in NFAC will have similar problems because the 
materials are held in a large number of s afes or c abinets 
under the control of individual analysts. | | 

h. Page 4, Paragraph g. Under existing procedures 
for granting access to compartmented information, the 
Department of Defense and the unified and specified cormands^ 
demand access to compartmented information down to relatively 
low-level units. The need to know for many of these units 

is very questionable.- The NFAC would, therefore, favor even 
more restrictive language in this paragraph; otherwise 
sensitive informat ion woul d continue to flow to levels that 
do not require it. | | 

i. Page 5, Paragraph h. The two phases of APEX- 
GENERAL access seem unnecessary, and poorly defined. A 
computer technician can have access to more APEX material 
than a file clerk. The establishment of a general access 
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seems questionable. The file clerk, document control 
clerk, and computer technician- -with broad access to a 
variety of APEX documents- -present a greater security risk 
than does the analyst with full access to a limited number 
of documents. (If phases are to be differentiat ed, "gro ups" 
or "classes” seem to be more appropriate terms.) | 


j. Page 8, Paragraph VII. a. 2. 83.. The ACO is identified 
as the exclusive control point for receipt and dispatch. 

This is almost impossible in an operation as large as OCR. 
Suggest rewording to say that the ACO ensures the proper 
receipt and dispatch.... Additionally, note if, as stated 
previously on page 2, the ACO and ASO are not the same 
individual, a great duplication of effort will result. The 
ACO duties 4 and 5 are parallel to ASO duty 2. 


k. Page 10, Paragraph d. There are formidable 
political and perhaps legal obstacles to obtaining agree- 
ment from other agencies and departments on administering 
polygraph tests to individuals having access to APEX 
material. The NFAC believes, however, that agencies should 
have a reserve power to insist upon administering poly- . 
graoh tests when derogatory information or inconsistencies 
arise that could impact on an individual's security status. 
The right to selective use of the polygraph on individuals 
having access to APEX information would be a minimal safe- 
guard 0 if the US governm ent is to stem the current flood of 
security leaks . | 


1. Pages 9-16. The almost seven pages on security 
Standards, with the heavy emphasis on investigation and 
reinvestigation, offer a stark contrast to the two pages 
on security education. All the checks and controls in a 
security control system are for naught if the people within 
the systen do not understand and participate in the system. 
This requires a vigorous program of security education and 
awareness at all levels, f I 


m. Page 18, Paragraph XI. a.. An "APEX control organiza- 
tion" is identi fied. It should be described and stated where 
it is located. | 
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n Page 18, Paragraph XI .b. Will the central Tecord of 
APEX cleared personnel be a modification of SPECLE? OCR is 
using SPECLE data as the basis for its security access 
package, and changes to SPECLE could re quire changes m the 
OCR software for this package. | 


o. Page 19, Paragraph XII. a. In the last sentence,^ 
guggest de letion of * ‘where normal management. . .sufficient. 
Inclusion permits judgments to be made as to the sufficiency 
a bf "normal management and safeguarding procedures to pro- 
tect intelligence— an incomprehensible situation. If conpart- 
mented information is presented, it should be identified as 


25 


,:cp.. Pace 19, Paragraph XII. b. The definition of compart- 
mentation is confused by the inclusion of sanitization as a 
form of decomoartmsntation . It would be preferable to use 
the definitions the sanitization and deco mpartmentation panel 
(Task Group 4) develop ed this past spring I I 


1 


This paragraph states 'To the extent possible, 
tnaterials nrotected under the APEX Security Control System 
Va deccmartmented . " The manual does not, however, 
discuss bibliographic citations (numbering about 3 million), 
an Important concern of OCR- -particularly in light of tne 
current proposal that OCR's bibliographic index be reviewed 
as a possible Community system. The NFAC recommends that 
this manual contain a statement on bibliographic citations, and 
"that this statement indicate that bibliographic citations 
. for automated indexes can be handled outside the APEX system _ 
viz. , that the cita tions t hemselves do not have to be treated 
as APEX materials. I 


n. Page 21, Paragraphs XIII. a. and XIII .b.l. In the 
first, it would seem appropriate to include a statement about 
.■ derivative classification and the classification decisions of 
others. As for the second, a statement should be added to 
the last sentence to indicate that each article i n a per iodi- 
cal should also be marked as a separate document. I l 
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T. Page 21, Paragraph XI 1 1. b. 2. Recommend that the 
"HANDLE VIA. . marking not be placed on each page. It would 
serve only to add more clutter to the information presented. 
Also suggest ,f ba ck page , and first page" read "first page, 
and back page." 

' s. Page 21, Paragraph XIII -b. 4. The second sentence 
should be revised to indicate that control numbers are not 
necessary when a document has a unique identifying number. 
When a document has more than one number by which it can be 
identified, storage and retrieval are complicated. This is 
extremely important- -it has cost implications as well as 
document control as pects, and would be an improvement on 
the present system. | | 


t. Page 22, Paragrap h 5. 
ous "when it is necessary." 


Sugg est deletion of anibigu- 


u. Page 22, Paragraph 6 . The NFAC has some concern re- 
garding the reason for extended classification; can this manual 
be used as the reference, or should the reason be more 
closely tied to Executive Order 12065? | 

v. Page 22, Paragraph 8. Will it be _ necessary to 

remark current files? Will future acquisitions of raw 
traffic necessarily be treated in this fashion? Suggest 
the second sentence read "The c lassifica tion and handling 
controls for such material...."! I 


w. Page 23, Paragraph XIII. c. 5. The ’TO BE RETURNED..." 

marking is not as clear as the present "PROPERTY OF U.S. 

GOVERNMENT..." marking, which also includes a phone number . | 

x. Pages 24 and 25. OCR, in particular, has concern 
about the reproduction and accountability of Top Secret (TS) 
documents. For years the control of collateral TS documents 
has been governed by tight accountability. If TS-compart- 
mented materials are to be treated also with this tight 
accountability, OCR's costs of handling these materials will 
sizably increase unless there is a decrease in the volune 

of this material. (OCR currently disseminates about 900 MSA 
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hard-copy TS documents a month; in the process it must re- 
produce a number of copies of each document.) Some sort of 
reasonable modification of these guidelines is necessary in 
order for OC R to diss eminate and to provide document service 
effectively. I 


If strictly adhered to, this requirement would 
encumber the production process , in that mo st analysts at 
one time or another clip and paste. 


y. Page 24, Paragraph XIII. f. Suggest first sentence 
read "...has been served, APEX-controlled material wall be 
destroyed as prescribed by existing record control policy and 
in a manner. . . ." I [ 


z. Page 25, Parag raph 3. The requirement for random 
audits of non-TS and non l I APEX documents appears to_ 
require that ISG maintain an inventory of all APEX materials 
filed in its bio graphic and organizational files--a totally 
impossible task. 

aa. Page 25, Last Paragraph. This could be worded 
mere clearly to say something like: "Dissemination records 
arc not required for the normal distribution and processing 
of raw intelligence APEX data provided it remains under the 
control...." ^Moreover, i llustra tions of "raw intelligence 
data" should be provided. | | 


bb. Page 27, Paragraph c. It would seem that among 
the elements on each microfiche readable without magnifica- 
tion would be the APEX control and copy numbers. | 


cc. Page 27, Paragraph d. The requirements for target 
pages and extra labeling of microfilm containers will slow down 
the production of film for ADSTAR, whose basic purpose is to 
provide faster service. The value of target pages is question- 
able for any microfilm; it is particularly so for ADSTAR. Film 
will be stored in cassettes that are mounted in storage modules. 
Viewing of this film is only through _ a _ computer- assist ed re- 
trieval process, which limits an individual’s acc ess to o nly 
those documents for which he/ she has a clearance . 


25X1 


25X1 
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dd. Page 26, Paragraph XIV. b. Suggest the more general 
term 1 'opaque" vice "metal." New materials are now in develop- 
ment. f 1 


The requirement for marking the outside of those 
microfilm cassettes that are stored in the ADSTAR modules 
seems unnecessary also. It provid es no further security 
protection for this system, f 

ee. Page 31, Paragraphs XVII .b. 2. and 3. Although this 
is a continuation of similar TKH policy the NFAC does not 
believe it to be the best policy nor does it reflect the 
current concern over disclosures. If APEX is designed to 
permit greater nonccsnpartmented dissemination, then infor- 
mation that remains in APEX compartments should be protected 
to the greatest degree possible. Even though these are after- 
the-fact procedures, they should be more specific as to the 
responsibilities of the ASO. Ideally, all disclosures and 
compromises, real or suspected, should be reported and inves- 
tigated. | | 

Directorate Positions. -- D/S5T : 

7. The comments of the D/S6T are general; it is assumed 
that most of the specific details will be worked out prior to 
the approval of these manuals. 

a. It is recommended that adoption of the APEX 

security manuals be on condition that the standards and 
responsibilities be defined more fully — with NFIB approval 
required- -before their implementation. For example. Senior 
Intelligence Officers (SIOs) are responsible for implementing 
the procedures in the APEX sy stem but "SIOs" are not further 
defined or identified. | | 

b. It is further recommended that security guides 
and implementation handbooks be published by the APEX 
control organization for each topical area, e.g. , I _ l 
as the terms become better defined^, and in concert with 
community implementation. Each of the present sensitive, 
Compartmented programs are handled in special channels. 
Documents in these programs are now separately stored, 
with a full-time custodian responsible for logging. 


-9- 
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filing and granting access to the file by those formally 
cleared to review this material. It is not clear whether 
sane or all o f these programs may be encompassed an the 
new APEX (and I I system (s) . | | 


c. These handbooks* should be published at each phase 
of' the APEX implementation schedule to assure that community- 
wide understanding, and more importantly consistency, is 
achieved. The proposed manual offers general guidelines, but 
does not attempt to explain step-by-step implementation pro- 
cedures. The D/S^T -was advised earlier that it is anticipated 
that manv months of briefings and training by representatives 
of the Security Committee would be necessary to accomplish 
this task, and in its view this material could best be pre- 
sented in the form of implementation handbooks. 


Directorate Positions . — D/0: 

8. With respect to the Security Manual for Industry — 

compartment should 


2, . /Ul. VW W I I "X ■ • 

be deleted from this manual. Page 1, I. INTRODUCTION , 
third paragraph, delete "an d the e specially sensitive 
material designators in the I I catego ry. Th is 

recommendation is made on the basis that I ] materi al 

is not appropriate for dissemination to contractors . 

I ~ J j s not mentioned elsewhere in this manual. 


All reference to the 


b. It is noted that the document numbering systems 
for contractors and Government differ, which is bound to 
result in confusion and compound the complexity of the 
system. Therefore, it is recommended that both contrac- 
tors and Government use the ACS -prefix for the document 
numbering system. | 


25X1 
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* Published for each major subject, i.e-,. , access approvals, classifica- 
tion guidelines, document controls, etc., that develops during the 
preimplementation process is one possibility to assure community-wide 

consistency. 
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9. And with respect to the Security Manual for Government — 


a. The sensit ive material designators for infor- 
mation in the l ~1 category should be classified. It 

is recommended, therefore, that the second paragraph, page 
1, I. INTRODUCTION, Line 5 be changed to read as follows 
after the word TECHNICAL: 'The codewords that identify 
highly sensitive collection projects and the sensitive 
material designators for the l 1 compartment may be 
used outside the APEX control system but must be pro- 
tected by the standard classification level of 
CONFIDENTIAL." | | 


b. Page 5, Section VI. 
sentence to paragraph 1: I 
provided to contractors." 


]--Add the following 


| material may not be 


C. Page 7, c.4. (b) s torage--Add the following 
sentence to bring the | | protection in line with 

the current approved handling of sensitive HUMINT, 
which has been designated for inclusion within the 
| compartment : "Storage facilities in separate 
and dedicated rooms may be required for designated 

[ categories at the discretion of the originator." 

d. Page 24, g. Reproduction — Add to second 
paragraph: I I compartment material may not be 
reproduced. Addi tional copies must be obtained from 
the originator." | 

e. Page 26, a. Automatic Data Processing— Add 

the following: ! I cont rolled m aterial may not be 

included in ADP systems." | 

f. Page 27, c. Microfiche — Add the following: 

| | controlled material may not be included in 

microfiches." | | 


[ 


g. Page 27, d. Microfilm- -Add the following: 
"^contro lled material may not be included in 


microfilms." 


- 11 - 
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10. These comments reflect the D/O's concern for the han- 
<H ins and control of sensitive HUMINT information that will appear 
in the I I compartment. The general provisions of the security 
manuals were previously coordinated with the D/0, and contain 
basically the same information and restri ctions as are now in 
effect. for the various SCI compartments . | 


Directorate Positions. -- D/A : 


11. There is an absence of any mention of establishing billets 
within the APEX Control System corresponding to positions rdiere^the 
"need-to-know" access to APEX- control led information can be predeter- 
mined and justified. Whether this was deliberate m the belief that 
it would further complicate the systems is unknown. The idea ot a 
billet system is not new for it would provide a mechanism whereby 
the APEX Special Access Control System could be policed and permit 
easier, periodic evaluation of an organization’s access require- 
ments. I I 


12; With respect to aspects of records and classification manage- 
ment, the D/A has identified the following problem areas. 


a. The manual should be portion marked to be in_ 
conformance with section 1-504 of Executive Order 12065. 


b. Section XIII .b.6. provides a classification auth- 
ority and duration marking (described as a ’’Declassification 
Review Notice") for all APEX materials. The elements of the 
marking consist of: 


-- the identity of the classification authority by 
the use of "CLASSIFIED BY", 


.- the date for declassification review by the use 
of "REVIEW ON”, -or "REVW” in electrically transmitted 
messages, and 


-- the reason for classification is ext ended be- 
yond 6 years by the use of "REASON FOR EXTENDED 
CLASSIFICATION." | 


(X) The above is incomplete. Most notably there is 
missing a requirement to identify the office of origin an 
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the official who authorized the classification extension 
beyond six years, as specified in E.O. 12065, sections 
1-501 and 1-502. Additionally, section 1-501 (c) of the 
Order prov ides for a n event of declassification as well 
as a date. P ! 


*• (2) An additional concern is that if this portion 

of the manual becomes obligatory, CIA regulations on 
classification markings will have to be amended either to 
eliminate the markings currently in effect or to add the 
new ones. No matter which way it is done, the end result 
will be a system of markings that is not as good as the 
pne CIA has; this is probab ly true in other Government 
agencies as well. | ] 


(3) The D/A suggests that instead of dictating what 
all the national security markings on APEX materials are 
to be the manual state only that the markings must be in 
conformance with. Agency requirements under E.O. 12065 for 
non- APEX (collateral?) material, and spell out only the 
requirements such as codeword designations that are unique 
to APEX. I I 


C. Section XIII. f. states that as soon as possible 
after its purpose has been served, all APEX-controlled 
material will be destroyed. Destruction times are also 
provided in the seventh and eighth paragraphs of this 
same section under h. 


(1) Title 44 USC 33 and FPMR 101-11.4 require^ 
that destruction of records be approved by the Archivist 
of the United States in the form of records control 
schedules. Any dest ruction of records without this 
aooroval is illegal. I I 


I 


d. Section XlV.b. needs clarification. Should slides 
be labelled on the images themselves or on the slide mount? 
If the slide mount needs to be labelled, it will be very 
labor-intensive. Should the film. negatives and/or negative 
holders be marked? Also, it appears that instead of metal 
containers, what is really meant is opaque containers. Infest 
film containers are now plastic and may be either opaque or 
transparent. | | 
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e. Does section XIV. d. mean that a classification 
e ye- rea dable target should appear before and after each 
document on the roll of film? If so, this is not possible 
on COM-produced material and would require a lot of time 
and effort on source document-produced material. Addition - 
ally, not all COM re corders will produce eye-readable titles 
25X1 on roll film. I I 

13. The Office of Communications has reviewed the draft of the 
subject manual and requests the following changes thereto: 

a. Page 18, Paragraph X.c. Delete the draft para- 
graph and replace with the following: 

"c. Compromising Emanations Control (TEMPEST 
•Security) . All equipment and facilities used to 
transmit or process APEX information electrically, 
including communications , word-processing and 
automatic data- processing systems, must satisfy the 
requirements of: 

1. KXL-HDBK 232 - RED/BLACK Engineering - 
Guidelines. Note: MIL-HDBK 232 will be used 
-until NACSEM 5203 - TEMPEST Guidelines for 
Facility Design is published at which time the 
latter document will replace MIL-HDBK 232. 

2. KAG-30 - Conpromising Emanations Standard 
for Cryptographic Equipment. Compromising 
emanations from equipment and wire lines pro- 
cessing APEX information must be contained ^ 
within a control zone that is under sufficient 
physical and technical control to pre clude a 

successful hostile intercept attack." | ~| 25> 

b. Page 23, Paragraph XIII. d. Modify as indicated 
below: 

"d. Electrical Transmissions". "APEX material 
transmitted..." no change to draft. 

• '’The transmission of APEX. . ." delete and 
replace with: "Electrical transmission of _ 

APEX information shall be limited to specifically 
designated and accredited communications circuits 
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secured by a government -approved cryptographic 
system and/or protected distribution systems. 
Electrical communications facilities used for 
the transmission of APEX information shall be 
accredited by the cognizant APEX Security 
Officer in coordination with the department or 
agency coimnunications security activity.*' 

"Electrical transmission of APEX...” delete. 

"Material transmitted by accredited..." no change 
in draft. 


"The first item..." no change to draft. 


14. The above changes are necessary to: 

a. Make the document more specific and hence, more 
useful to the user; 

b. Eliminate citations of outdated policy documents; 

and, 

c. Delegate electrical transmission equipment, and 

facility accreditation from the DCI to the cognizant APEX 
Security Officer in coordination with his or her support 
ing COMSEC activity. | | 

15. OC notes that the appendices that are listed in the table 

Of contents and mentioned throughout the text are not included in 
the manual. I I 

16. In addition to the specific language changes requested in 
paragraphs 13. a and 13. b above, OC has these general concerns. 

a. Page 5, Paragraph h. Consideration should be 
given to removing the examples of personnel cited in 
Phase I and Phase II to eliminate confusion at a later 
date. The definitions of Phase I and II could end, in 
both cases, after the first sentence. The inclusion of* 
communications personnel in Phase I is not, for example, 
a good illustration. Most communicators who process 
APEX info rmation do have access to substantive APEX 
material.l 
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b. Page 24, the 4th subparagraph of Paragraph d. 

It is assumed that the requirements for marking electrical 
transmissions as stated will not preclude the printing of 
the acronym APEX on the side of each disseminated cable to 
replace the "SCI" acronym currently used. | 


25X1 


c. Page 24, subparagraph e. It is assumed that the 
requirement for cover sheets does not extend to cover- _ 
sheeting cable receipts. If it does, the Cable Secretariat 

Branch of OC’ I squire 

additional personnel resources to accommodate coversheeting. 


d Page 24, subparagraph f. It is assumed that the 
requirement to maintain destruction records does not include 
cables, routinely destroyed during proces sing and reproduc- 
tion within the Cable Secretariat Branch. 


25X1 


e. Page 24, subparagraph g. The requirement that per- 
mission be obtained to reproduce Top Secret APEX material 
should not include cables. If it does, again, there would be 
■serious resources implications for the Cable Secretariat 
Branch, and unnecessary time delays in the centralized cable 
dissemination act ivity. Suggest that cables be excluded from 
; tlu s requirement . 


25X1 


'17. Although the foregoing comments are offered in t.he context 
of the CIA Cable Secretariat, the same concerns would probaoiy be 
shared by cable dissemination centers throughout the Intelligence 


18. The Office of Data Processing finds the manuals well written 
anc clear, for the most part, but the depth of treatment of various 
aspects of APEX is uneven. It assumes subsequent manuals bank- 
books within member agencies will provide working-level guidance. 

OOP's area of greatest concern, naturally, is ADP- The simple 
statement on computer security in para. b. of s ection X whi 
reasonable on the surface, is a dangerous gloss. DCID 1/16 is not 
a completely workable directive at this time, nor is it expected to 
be in the near future. Hie DCI’s covering memo C e£ f^tive 6 Junq 
1978) on the current version of DCID 1/16 recognized this fact by 

stating: 
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The diversity and complexity of such computer 
systems now in place in the Community and 
those designed for future placement may not 
provide for compliance with the requirements 
of the directive in their entirety. Recog- 
nizing both the validity of the requirements 
and the difficulty involved in their applica- 
tion to currently installed and already 
designed ADP system, the extent to which the 
exceptions to the requirements of this_ 

Directive are applied to such systems is left 
to the determination of each National Foreign 
Intelligence Board (NFIB) member in view of 
his ultimate responsibility for the protection 
of intelligence information. I I 

The implemented of APEX should be aware that DCID 1/16 was written 
with the full knowledge that CIA computer systems (existing and 
planned) could not comply in a strict sense to all it s provis ions, 
particularly if SCI or APEX information was involved. I I 

19. Areas of principal concern for ODP are access approvals 
for ADP personnel programming and operating computer systems that 
process APEX material, access approvals for users of computer sys- 
tems that process APEX material, marking and control of hard-copy 
(printer) output that is APEX-controlled, marking and control of 
magnetic media containing APEX data, and header information for 
microfiche or COM output of APEX data j | 

a. OOP’s current practice for SCI -ac cess a pprovals 
for ODP personnel is to give everyone SI/TK j l and. to 
request individual compartment accesses for those with a 
need to know because of pro j ects they are worki ng on. How 
this would be handled under APEX is not clear. | 

b. Until recently, because ODP could not ensure 
that ODP terminal users would not be exposed to SCI 
material accidentally, they were required to have SI/ 

TK access also. The Office of Security relaxed this 
requirement so that only those .terminal users who 
actually process SCI material are required to have SCI 
accesses. Ag ain, how this would be handled under APEX 
is not clear. |~ 
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c Classification and SCI markings on hard-copy 
(printer) output from ODP computer systems is currently 
the responsibility of the person initiating the computer 
program producing the output. ODP provides users with 
utility programs to facilitate these markings but 
accepts no responsibility for ensuring their use. _ Com- 
puter printouts containing SCI material are normally 
treated as uncontrolled "working papers" when they are 
released to users at ODP distribution points. If 
the material is to be logged and controlled, the OD 
user assumes this responsibility. How AP.tX markings 
and document control for compu ter prin touts will be 
handled needs to be clarified. I I 


d. SCI handling of ADP magnetic media as 
described in Section XIV, para, a., is a current 
requirement, hut ODP docs not do it £or mEteriad^ 
that stays within its conputer centers. The ration- 
ale is that the computer centers and their attached 
tana, libraries constitute secure controlled areas 
(AFC s under APEX); therfore, marking magnetic media 
Stored within these areas serves no purpose. It is 
or.lv when magnetic media are removed from conputer 
centers that external marking must be placed on the 
media and their container. We assume ODP mi l be 
allowed to continue this practice under APEX. I 


e. CIA currently produces large volumes of 
SCI material on microfiche, roll microfilm, and COM. 

To OOP’s best knowledge, none of the systems producing 
these microfilm images provide for human-readable 
headers of the type described in Section XIV. para, b., 
c. , and d. Implement ers of APEX should be aware that 
the CIA will incur a large conversion cost, in dollars 
- and manpower, if this aspect of APEX is strictly 
enforced. In addition, a major system now in develop- 
vment, AD STAR for NFAC, cannot comply with these pro- 
visions. 


I 


20. Will i 1 material be excluded from ADP systems? ODP 

infers fro m Secti on VI. para. c. that it will, but this should be 
clarified. | | 
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21. What is the APEX policy on polygraph interviews of per- 
sonnel being granted access? Section VIII. paragraph d. , subpara- 
graph 13. leaves room for this requirement but does not state it 
explicitly. ODP would argue strongly for polygraphs for per sonnel 
with access to APEX, especially through ADP systems. 

22. Section IX. paragraph b. is somewhat ambiguous as to who 

does accreditation for whom . Possibly better punctuation would 
clarify this point. | | 

23. Representatives of the Office of Security have submitted 
comments and suggested changes to previous drafts of the APEX 
Security Manuals, some of which appear to have been incorporated 
in the most recent draft, some of which have not. This memorandum 
does not reiterate those previous suggested changes relating to 
syntax, grammar, or minor alterations. OS, however, does wish to 
express a general concern regarding the lack of spec ificity o f 
the manuals and also suggest three specific changes. | 

24. Regarding the lack of specificity, one of the most re- 
curring comments received by representatives of the Office of 
Security during discussions with corporate security officers is 
the lack of uniformity among the various Intelligence Community 
customers concerning security procedures or directives. These 
corporate representatives express a desire to have a manual that 
provides specific policies, procedures and detailed guidance that 
can uniformly be applied to various SCI customers. The proposed 
manuals provide guidelines for the security and control of APEX 
material, but agencies are expected to ’’continue to provide basic 
direction and classification guidance." There are several instances 
of vague terminology in the manual, e.g. , "timely submission," 

"as soon as possible," "as soon as feasible," etc., which beg the 
issuance of a host of implementing directives --probably in conflict 
with one another — from several Government agencies engaged in 
compartment ed activ ities and which may well result in a lack of 
uniformity. | | 

25. Three specific changes requested by the Office of Security 
are as follows: 


25A 


25)1 
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a. Courier Procedures. The proposed manuals prohibit 
transmittal of 'APEX material via non-US Government-operated 
or charter aircraft except when the Armed^Forces^Cour ler ^ _ 
Services (AFCOS) are used. The Security Staff, ODQE/DDoqT, 
operates an extensive courier system that carries a large; _ 
volume of SCI material on both domestic and international air 
routes. They are required to utilize commercial air carriers 
frequently. In addition, professional security officers of 
the Office of Security are occasionally dispatched in response 
to special courier requirements and require use of commercial 
air carriers. It is requested that the restriction on trans- 
mittal of APEX material via no n-US Gov ernment-operated or 
chartered aircraft be removed. | 


b. Terminat ion Secrecy Agreements . The manuals require 
Termination Secrecy Agreements be executed for individuals being 
debriefed from APEX access. The Office of _ Security endorses 
this concept, but requests the form be entitled Termination of 
; Aecess/Security Reminder vice Termination Secrecy Agreement. 

This is compatible with recent legal decisions that the term 
"Security Reminder" is preferable to a "Secrecy Agreement 
because there really is no valid agreement (i.e., contract) 
upon termination owing to a lack of consideration, in tii.~ 

leaal sense. The Office of Security is in the process of 

having the present form revised along the lines suggests^. 


c . Concessional Access . Section XVI , paragraph. _5, page 
20, of the Government manual "states requests for exceptions to 
Clearance standards in the case of nonelected persons in the 
Legislative Branch should be referred to the DCI Legislative 
Counsel for resolution. The Office of Security takes tne 
position that exceptions to clearance standards are not the 
prerogative of the Legislative Counsel although OLC could be 

the channel for obtaining an exception. Therefore OS 

recommends the words "for resolution" be deleted. 
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SUBJECT: APEX Security Manuals for Government/ Industry- -CIA 
\ Comments | | 


DISTRIBUTION: 

1 - Addres 
1 - D/NFAC 
1 - D/OCO 
1 - D/OSR 
1 - D/OGCR 
1 - D/OWI 
1 - D/OER 
1 - D/OPA 
1 - D/OSI 
1 - D/OIA 
1 - D/OCR 
1 - C/PPG 
1 - C/Admin Staff 
1 - C/RES 

3 - DDO/1 ^1 

3 - DDS§' 

5 - DDA 
1 - OGC 

1 - Executive Registry 
1 - NFAC Registry 
1 -| | Chrono 

1 - RES/SPG Project File (APEX) 

1 - RES/SPG Chrono 

;i NFAC/RES/SPG t |j p:160ctoberl979 
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